Category: Web Application Analysis. Tags: web, fuzzer, bruteforce, directory, injection, fuzzing

Wfuzz

Wfuzz is a web application bruteforcer designed for finding unlinked resources such as directories, servlets, and scripts. It supports bruteforcing GET and POST parameters, forms, and fuzzing for various injections.

Description

Wfuzz is a tool designed for bruteforcing web applications. It can discover unlinked resources such as directories, servlets and scripts, and it can bruteforce GET and POST parameters to probe for different kinds of injection (SQL, XSS, LDAP and more). It also supports bruteforcing form parameters such as user/password pairs and general fuzzing tasks.

The tool replaces FUZZ keywords in URLs or parameters with values from specified payloads, such as wordlists, enabling systematic testing of web endpoints. It provides filtering options to hide common responses like 404s and focus on interesting results. Wfuzz is versatile for web security testing, from directory enumeration to parameter manipulation.

Usage involves specifying payloads with -z, URLs with FUZZ placeholders, and various options for output, concurrency, and filtering to tailor scans efficiently.

How It Works

Wfuzz operates by replacing FUZZ, FUZZnZ, or FUZZ{baseline_value} keywords in URLs, POST data, headers, or authentication strings with values from payloads specified via -z (e.g., file wordlists) or iterators (-m). It sends concurrent HTTP requests (default 10, configurable with -t), supports methods like GET/POST/HEAD via -X, and follows redirections (-L). Responses are filtered by status codes (--hc/--sc), size (--hl/--sl), regex (--ss/--hs), or expressions (--filter), using baseline comparisons (BBB). Scripts and plugins enhance scanning, with proxy support (-p), delays (-s), and output customization (-o, -f). Encoders chain transformations on payloads.
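Seen from the server side, a FUZZ-driven scan of this kind leaves a burst of 404 responses for many distinct paths from one client within seconds; the --hc 404 filter only hides them from the scanner's output, not from the access log. The following detector is an added example, not code from the wfuzz project: it runs over constructed Apache combined-format log lines and flags clients by that 404 burst, plus, as a weaker hint, a User-Agent beginning with "Wfuzz" (assumed here to be the tool's default header).

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_dir_bruteforce(lines, window_s=60, min_404=5, ua_hint="Wfuzz"):
    """Return {client_ip: [reasons]} for clients that look like a wordlist scan:
    >= min_404 distinct paths answered 404 inside any window_s-second window,
    or a User-Agent starting with ua_hint (assumed default, easily changed)."""
    not_found = defaultdict(list)   # ip -> [(timestamp, path)] for 404s only
    agents = defaultdict(set)       # ip -> set of User-Agent strings seen
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        agents[rec["ip"]].add(rec["ua"])
        if rec["status"] == 404:
            not_found[rec["ip"]].append((rec["ts"], rec["path"]))
    findings = {}
    for ip, uas in agents.items():
        reasons = []
        evs = sorted(not_found.get(ip, []))
        for i, (t0, _) in enumerate(evs):   # sliding window over sorted 404 events
            paths = {p for t, p in evs[i:] if (t - t0).total_seconds() <= window_s}
            if len(paths) >= min_404:
                reasons.append(f">= {min_404} distinct 404 paths within {window_s}s")
                break
        if any(ua.startswith(ua_hint) for ua in uas):
            reasons.append(f"User-Agent starts with {ua_hint!r}")
        if reasons:
            findings[ip] = reasons
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.7 - - [16/Apr/2026:10:00:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "Wfuzz/3.1.0"',
    '10.0.0.7 - - [16/Apr/2026:10:00:01 +0000] "GET /backup HTTP/1.1" 404 196 "-" "Wfuzz/3.1.0"',
    '10.0.0.7 - - [16/Apr/2026:10:00:01 +0000] "GET /cgi-bin HTTP/1.1" 404 196 "-" "Wfuzz/3.1.0"',
    '10.0.0.7 - - [16/Apr/2026:10:00:02 +0000] "GET /images HTTP/1.1" 200 1024 "-" "Wfuzz/3.1.0"',
    '10.0.0.7 - - [16/Apr/2026:10:00:02 +0000] "GET /old HTTP/1.1" 404 196 "-" "Wfuzz/3.1.0"',
    '10.0.0.7 - - [16/Apr/2026:10:00:02 +0000] "GET /test HTTP/1.1" 404 196 "-" "Wfuzz/3.1.0"',
    '198.51.100.3 - - [16/Apr/2026:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [16/Apr/2026:10:03:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

Tune window_s and min_404 to the site's normal 404 rate; a single missing favicon, as in the second client above, must not trip the rule.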

Installation

sudo apt install wfuzz

Flags

-c                   Output with colors
-z payload           Specify a payload for each FUZZ keyword in the form name[,parameter][,encoder]
--hc N[,N]+          Hide responses with the specified status code(s) (e.g., --hc 404)
-w wordlist          Specify a wordlist file (alias for -z file,wordlist)
--help               Advanced help
-v                   Verbose information
-t N                 Specify the number of concurrent connections (10 by default)
-R depth             Recursive path discovery, where depth is the maximum recursion level
--script=<plugins>   Run the scan of the given scripts; <plugins> is a comma-separated list of plugin files or plugin categories

Examples

Use colour output (-c), a wordlist as a payload (-z file,...), and hide 404 responses (--hc 404) to fuzz the given URL
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://192.168.1.202/FUZZ
Display help information for wfuzz
wfuzz --help
Fuzz a URL using a common wordlist payload, replacing FUZZ with wordlist entries
wfuzz -z file,/usr/share/wfuzz/wordlist/general/common.txt http://example.com/FUZZ
Colored output fuzzing hiding 404 and 403 responses
wfuzz -c -z file,wordlist.txt --hc 404,403 http://testsite/FUZZ
Bruteforce login form POST parameters using a list payload
wfuzz -z list,admin-users-pass -d "user=FUZZ&pass=FUZZ" --hc 404 http://site/login
Recursive directory discovery up to depth 2
wfuzz -z file,dirs.txt -R 2 http://site/FUZZ
Print results of requests without making actual HTTP requests
wfuzz --dry-run -z file,test.txt http://example/FUZZ
Updated 2026-04-16. Source: kali.org